Millions of Medibank customers’ private information was published on the deep web on Wednesday by hackers linked to one of the world’s most infamous criminal gangs.
In another chilling message overnight, they revealed details of their ransom demand and released sensitive details of customers’ medical procedures.
Some experts say that if past form (and mythology) provides any clue, it is unlikely that this is where the Russian extortion racket that trades on a reputation for cruelty to victims intends to leave things.
The data release, revealed on Wednesday by The New Daily, and the unsuccessful public negotiation for ransom was all done under the name REvil.
But it’s what they might do next that has captured attention.
World-leading extortionists?
The name might be suggestive of a James Bond nemesis but the world’s most prolific organised data thieves have been behind about half of all ransom attacks online and claim to have earned $100 million or more doing it.
A typically smash mouth approach to negotiations caused 7000 workers for the JBS meatworks in Australia and the US to be stood down without pay last year after the business was crippled as part of negotiations.
US officials reckon cryptocurrency payments worth $200 million followed its next hack, on Travelex. But it might have been REvil’s undoing.
Perhaps fittingly for a group that operates in the shadows, most things to do with REvil are contested, including by credible American experts who disagree about whether it was behind the Medibank hack.
Not long after the Travelex job, key figures associated with REvil were captured. They included its 22-year-old Ukrainian mastermind and more key figures in Romania.
(As with much international fraud, nationals from the former centres of mathematics in the Soviet Union often emerge as the brains behind organisations everyone just calls Russian).
REvil redux?
The group claimed another job on an even larger scale and asked for a $70 million ransom last July.
That was credited with putting the scourge of ransomware on the international agenda in talks between Vladimir Putin and Joe Biden.
Perhaps not coincidentally, its website went dark not long after – and most curiously – its last victim got their data back.
Since then the group claims it has reformed with a new website that bears some technical similarities and a trademark rude tone.
“It very well could be REvil attacks, but we can’t be 100 per cent sure as anyone can claim to be from any hacking group,” Larry Cashdollar, a top American security researcher who has studied the group’s attacks, told The New Daily.
Decentralisation and specialisation are part of what made the group so successful, including its permanent recruitment drive advertised with $1 million in Bitcoin to motivate applicants.
But those responsible for any one of the gang’s hacks could theoretically have been members of a rotating cast based anywhere.
With security experts warning Medibank customers they should expect further data releases, the question of who was behind the hack becomes more important.
Automatic cruelty was part of the REvil business model and the reputation that it relied on: Missing a payment or dropping out of negotiations caused ransoms to double.
More recently, individuals were made to pay if corporations would not.
In a survey, IBM estimated about one-third of the gang’s victims used to pay up; one-third had their personal information stolen and, in a more recent development, victims’ data was sold via auction – a process designed to build pressure for restarting negotiations.
How long do sales take to conclude?
“It depends on how the criminal markets are moving,” Mr Cashdollar said.
Penchant for cruelty
On Wednesday, after Medibank revealed it had refused to pay a demanded ransom, REvil released screenshots of its approach to the insurer’s chief executive, David Koczkar (including his mobile number).
Just like the old heists though, the Medibank job was perpetrated by criminals who like to taunt their victims.
“Hi! As your team is quite shy, we decided to make the first step in our negotiation,” they said.
The group followed with threats to publish customer data.
“in the event of a negative outcome of the negotiations for us, we will do everything in our power to inflict as much damage as possible for you, both financial and reputational,” they wrote.
The open question now is how serious it is about inflicting such pain on Medibank customers and by what means.
In a cruel taunt to Medibank customers, the hackers released a list of only a few hundred names on Wednesday.
It included a list labelled “naughty” that comprised people whose medical records showed they had been treated for substance addiction, including at exclusive clinics such as the Sydney Clinic.
The criminals had previously said they would release data related to people who had the “most followers” or were high profile, including “politicians, actors, bloggers, LGBT activists” and suggested they would explicitly prey on people with sensitive medical histories.
On Wednesday, they apologised for the unorganised state of the data dump containing millions of Australians’ records.
The clear implication was that more was to follow.
Precautions pay
“It’s likely the data will be sold and leaked on the dark web as this drags out,” Mr Cashdollar said.
“The victims should make arrangements to possibly freeze their credit and ramp up their own personal security.”
He suggested putting a password on mobile phones to stop the carrier being changed remotely and to use two-factor authentication for accounts signed into online.
Troy Hunt, a Microsoft regional director and international authority on data breaches, has seen enough hacks to view them with perspective.
Whether or not the Medibank hackers are who they claim to be, he said, was irrelevant.
The outcome, he said, would be the same.
“These crews are dependent on following through on their threats in order to be taken seriously,” he said.
“Folks have been doing [these] sort of things that for many, many years ran successfully. It’s a pretty well-known, proven business model and there’s lots of people in the game.”
Mr Hunt always advises caution (his world-leading register of cyber security breaches haveibeenpwned.com shows his own password has fallen into the hands of bad actors 28 times) and to keep passwords updated and managed by a secure program.
He thinks many Medibank customers may start perceiving vulnerabilities that were always there in a world where identity theft is a constant threat.
“There are people out there who get the data from all sorts of different locations, and then they try to scam you,” he said.
“It kind of doesn’t change that.
“On the other hand, the biggest problem we’ve got now is a huge number of people very interested in this incident because it impacts them personally.
“Inevitably we’re gonna see more phishing [scam sites tricking people to input their passwords]; we’re gonna see ransoms escalate very, very rapidly, and I’m sure it’s happening already.
“But hopefully these events bring all this stuff a little bit more into the forefront of everyone’s mind.”
